rekor: clarify suitable sources of time

Signed-off-by: William Woodruff <[email protected]>
sigstore · Aug 9, 2024 · d9edb63 · d9edb63
1 parent 2441465
commit d9edb63
Show file tree

Hide file tree

Showing 10 changed files with 24 additions and 18 deletions.
diff --git a/gen/jsonschema/schemas/Bundle.schema.json b/gen/jsonschema/schemas/Bundle.schema.json
@@ -319,7 +319,7 @@
                 "inclusionPromise": {
                     "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionPromise",
                     "additionalProperties": false,
-                    "description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles if another source of signed time is present. MUST be verified if no other source of signed time is present, and SHOULD be verified otherwise."
+                    "description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles if another suitable source of time is present (such as another source of signed time, or the current system time for long-lived certificates). MUST be verified if no other suitable source of time is present, and SHOULD be verified otherwise."
                 },
                 "inclusionProof": {
                     "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionProof",

diff --git a/gen/jsonschema/schemas/Input.schema.json b/gen/jsonschema/schemas/Input.schema.json
@@ -512,7 +512,7 @@
                 "inclusionPromise": {
                     "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionPromise",
                     "additionalProperties": false,
-                    "description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles if another source of signed time is present. MUST be verified if no other source of signed time is present, and SHOULD be verified otherwise."
+                    "description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles if another suitable source of time is present (such as another source of signed time, or the current system time for long-lived certificates). MUST be verified if no other suitable source of time is present, and SHOULD be verified otherwise."
                 },
                 "inclusionProof": {
                     "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionProof",

diff --git a/gen/jsonschema/schemas/TransparencyLogEntry.schema.json b/gen/jsonschema/schemas/TransparencyLogEntry.schema.json
@@ -25,7 +25,7 @@
                 "inclusionPromise": {
                     "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionPromise",
                     "additionalProperties": false,
-                    "description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles if another source of signed time is present. MUST be verified if no other source of signed time is present, and SHOULD be verified otherwise."
+                    "description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles if another suitable source of time is present (such as another source of signed time, or the current system time for long-lived certificates). MUST be verified if no other suitable source of time is present, and SHOULD be verified otherwise."
                 },
                 "inclusionProof": {
                     "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionProof",

diff --git a/gen/jsonschema/schemas/VerificationMaterial.schema.json b/gen/jsonschema/schemas/VerificationMaterial.schema.json
@@ -236,7 +236,7 @@
                 "inclusionPromise": {
                     "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionPromise",
                     "additionalProperties": false,
-                    "description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles if another source of signed time is present. MUST be verified if no other source of signed time is present, and SHOULD be verified otherwise."
+                    "description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles if another suitable source of time is present (such as another source of signed time, or the current system time for long-lived certificates). MUST be verified if no other suitable source of time is present, and SHOULD be verified otherwise."
                 },
                 "inclusionProof": {
                     "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionProof",

diff --git a/gen/pb-go/rekor/v1/sigstore_rekor.pb.go b/gen/pb-go/rekor/v1/sigstore_rekor.pb.go
diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/v1/__init__.py
diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.rekor.v1.rs b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.rekor.v1.rs
@@ -131,9 +131,10 @@ pub struct TransparencyLogEntry {
     pub integrated_time: i64,
     /// The inclusion promise/signed entry timestamp from the log.
     /// Required for v0.1 bundles, and MUST be verified.
-    /// Optional for >= v0.2 bundles if another source of signed time
-    /// is present.
-    /// MUST be verified if no other source of signed time is present,
+    /// Optional for >= v0.2 bundles if another suitable source of
+    /// time is present (such as another source of signed time,
+    /// or the current system time for long-lived certificates).
+    /// MUST be verified if no other suitable source of time is present,
     /// and SHOULD be verified otherwise.
     #[prost(message, optional, tag = "5")]
     pub inclusion_promise: ::core::option::Option<InclusionPromise>,

diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin b/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin
diff --git a/gen/pb-typescript/src/__generated__/sigstore_rekor.ts b/gen/pb-typescript/src/__generated__/sigstore_rekor.ts
diff --git a/protos/sigstore_rekor.proto b/protos/sigstore_rekor.proto
@@ -104,9 +104,10 @@ message TransparencyLogEntry {
         int64 integrated_time = 4 [(google.api.field_behavior) = REQUIRED];
         // The inclusion promise/signed entry timestamp from the log.
         // Required for v0.1 bundles, and MUST be verified.
-        // Optional for >= v0.2 bundles if another source of signed time
-        // is present.
-        // MUST be verified if no other source of signed time is present,
+        // Optional for >= v0.2 bundles if another suitable source of
+        // time is present (such as another source of signed time,
+        // or the current system time for long-lived certificates).
+        // MUST be verified if no other suitable source of time is present,
         // and SHOULD be verified otherwise.
         InclusionPromise inclusion_promise = 5;
         // The inclusion proof can be used for offline or online verification